A good case for avoiding sensitive information in URLs

Nothing extraordinary here, just an interesting case I came across today. It is also a handy example to give application teams.



Someone posted a link from a well-known forum about some discussion in my WhatsApp group today. Upon clicking it, it opened in the browser; after a while it prompted me to post something, and then I noticed that it wasn't my name. :D Instead it was addressing me as 'Ronnie'.



We were both surprised and amused. Then I searched all my emails and WhatsApp chats and found that once, a long time back, Ronnie had sent me a link from the same forum which was very long and probably contained session information, a token, etc.



This is what would have happened in the background:

· The long link (URL) from Ronnie carried his session identifier (a token) in the query string.

· That session token stayed valid for a very long time (almost 6 months): the forum did not expire it on the server side, and my browser kept the session it was given when I first opened the link (most likely as a persistent cookie).

· When I clicked a new, unrelated link to the same forum today, that stored session was sent along again, so the forum treated me as Ronnie.



This is a classic illustration of why sensitive information (session tokens, credentials, personal data) should never travel in URLs, i.e. in GET request query strings: URLs get copied into chats and emails, stored in browser history and bookmarks, leaked through the Referer header and written to server and proxy logs. Session identifiers belong in cookies (with HttpOnly, Secure and SameSite set) or in a request header, and they should expire after a reasonable idle time so that a leaked link cannot be replayed months later. :)
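The mechanism above, as an added example (this is not the forum's code or the author's): a small Python simulation of a server that accepts a session token from the query string and pins it into a half-year cookie, beside a hardened handler that only trusts a cookie and expires sessions, plus a helper that flags query parameters that look like credentials so an app team can scan the links their application generates. All URLs, tokens, parameter names and time limits are constructed assumptions.

```python
"""Added example: a session token carried in a URL is pinned into a long-lived
cookie and replayed months later, beside a hardened handler that never reads
tokens from the URL. Names, URLs and tokens are constructed for illustration."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SIX_MONTHS = 180 * 24 * 3600      # lifetime the vulnerable server gives a session
TEN_MINUTES = 10 * 60             # idle timeout used by the hardened handler

# Constructed session table: token -> (user, issued_at). Ronnie's token is the
# one that ended up inside the shared link.
SESSIONS = {"s3cr3t-ronnie-token": ("Ronnie", 0)}

# Constructed links: the one Ronnie pasted (token in the query string) and an
# unrelated one clicked much later.
SHARED_LINK = "https://forum.example/thread/42?token=s3cr3t-ronnie-token"
UNRELATED_LINK = "https://forum.example/thread/99?page=2"

# Query-parameter names that usually carry credentials (assumed list).
CREDENTIAL_PARAMS = {"token", "session", "sid", "sessionid", "jsessionid",
                     "phpsessid", "auth", "access_token", "api_key", "key"}


@dataclass
class Browser:
    """Minimal cookie jar: cookie name -> (value, expires_at)."""
    cookies: dict = field(default_factory=dict)

    def live_cookies(self, now):
        return {n: v for n, (v, exp) in self.cookies.items() if exp > now}


def vulnerable_handler(url, browser, now):
    """Trusts a token from the URL and pins it into a half-year cookie."""
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    token = token or browser.live_cookies(now).get("sid")
    if token in SESSIONS:
        browser.cookies["sid"] = (token, now + SIX_MONTHS)
        return SESSIONS[token][0]
    return "anonymous"


def issue_session(browser, user, now):
    """Hardened login: fresh random token, never placed in a URL, short cookie life."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, now)
    # A real Set-Cookie header would also carry HttpOnly; Secure; SameSite=Lax.
    browser.cookies["sid"] = (token, now + TEN_MINUTES)
    return token


def hardened_handler(url, browser, now):
    """Identifies the session from the cookie only; URL parameters are never consulted."""
    token = browser.live_cookies(now).get("sid")
    if token in SESSIONS:
        user, issued_at = SESSIONS[token]
        if now - issued_at <= TEN_MINUTES:
            return user
        del SESSIONS[token]          # expired server side too, so it cannot be replayed
    return "anonymous"


def replay_scenario(handler):
    """Day 0: click Ronnie's shared link. About 170 days later: click an unrelated link."""
    me = Browser()
    first = handler(SHARED_LINK, me, now=0)
    later = handler(UNRELATED_LINK, me, now=170 * 24 * 3600)
    return first, later


def find_credential_params(url):
    """Sorted names of query parameters in `url` that look like credentials."""
    names = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(n for n in names if n.lower() in CREDENTIAL_PARAMS)


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(vulnerable_handler))   # ('Ronnie', 'Ronnie')
    print("hardened:  ", replay_scenario(hardened_handler))     # ('anonymous', 'anonymous')
    print("leaky params in shared link:", find_credential_params(SHARED_LINK))  # ['token']
```

The vulnerable path reproduces the story exactly: the shared link logs the recipient in as Ronnie and the cookie keeps doing so for half a year. The hardened path never looks at the URL, so the same link is just a link, and a real login (`issue_session`) hands out a token that dies after ten idle minutes on both the client and the server.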
